OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

Error message for CWWKS9660E can be incorrect when apps do not use User Registries #1357

Open aguibert opened 6 years ago

aguibert commented 6 years ago

If someone is enabling a large number of features (such as javaee-7.0), their applications do not use a user registry, and they do not have the default SSL config correct, they may get the error message:

[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:9082/DictionaryWeb/
[AUDIT   ] CWWKZ0001I: Application DictionaryApp started in 0.762 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [servlet-3.1, beanValidation-1.1, ssl-1.0, jndi-1.0, jca-1.7, jms-2.0, ejbPersistentTimer-3.2, appSecurity-2.0, j2eeManagement-1.1, jdbc-4.1, jaxrs-2.0, wasJmsServer-1.0, javaMail-1.5, monitor-1.0, cdi-1.2, webProfile-7.0, jcaInboundSecurity-1.0, jpa-2.1, jsp-2.3, ejbLite-3.2, managedBeans-1.0, jsf-2.2, ejbHome-3.2, jaxws-2.2, localConnector-1.0, jsonp-1.0, el-3.0, jaxrsClient-2.0, concurrent-1.0, appClientSupport-1.0, ejbRemote-3.2, jaxb-2.2, javaee-7.0, mdb-3.2, jacc-1.5, batch-1.0, ejb-3.2, jaspic-1.1, json-1.0, jpaContainer-2.1, distributedMap-1.0, websocket-1.1, wasJmsSecurity-1.0, wasJmsClient-2.0].
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[ERROR   ] CWWKS9660E: The orb element with the defaultOrb id attribute requires a user registry but no user registry became available within 10 seconds.   As a result, no application will start. Ensure that you have configured an appropriate user registry in the server.xml file.

Note that CWWKS9660E indicates no apps will start, but the CWWKZ0001I message indicates that the application started OK (and is indeed usable).

To reproduce this issue, make a simple app (such as a hello servlet) and enable the javaee-7.0 feature without proper SSL configuration.

una-tapa commented 5 years ago

I am looking into a case where an application does not require a user registry, but needs remoteEJB lookup. The remote EJB lookup fails with CWWKS9660E: "The orb element with the defaultOrb id attribute requires a user registry.....". This issue seems to be reporting the same problem.

According to the current design, in order to use the remoteEJB feature, a user registry is required for the following reasons:

A registry is still required to represent the unauthenticated user in the target server. The UnauthenticatedService tries to get the registry when creating the subject for the unauthenticated subject. Also, on z/OS it can use WSGUEST for example. A registry is still needed with the current security framework.

The default orb element is not required in server.xml, as it is implicitly defined.
The code looks for the SSL config in this implicit default orb element, which makes it hard for the user to understand the CWWKS9660E message.

Also, the code further looks for a user registry explicitly configured in server.xml, even though it is used for the unauthenticated subject.

One possible solution is to document better - make it easy for users to understand the remoteEJB requirement along with the implicit orb element config.

Another one would be to have an implicit User Registry to handle the unauthenticated subject. I am going to check how it can be done technically.

una-tapa commented 5 years ago

Per discussion with developers, I learned that the remoteEJB-3.2 feature requires a UserRegistry according to the specification because an ORB instance has to have a "realm" (=UserRegistry) to validate users against.

While users who use the remoteEJB-3.2 feature (such as remote EJB lookup) do need to configure a UserRegistry, for other users who happened to include remoteEJB-3.2 as a part of a convenient/bundled feature such as javaee-7.0, CWWKS9660E does not make sense. A UserRegistry is not really needed for them.

Liberty needs to print an informational (I:) message rather than a warning. Also, the message should not have the "As a result... file" part. The documentation should also be updated along with the message change.

[ERROR ] CWWKS9660E: The orb element with the defaultOrb id attribute requires a user registry but no user registry became available within 10 seconds. As a result, no application will start. Ensure that you have configured an appropriate user registry in the server.xml file.

una-tapa commented 5 years ago

The following configuration successfully created an ORB instance while not allowing any user/groups to be added. This is handy for users who do not need a user registry:

<basicRegistry id="basic" realm="dummyRealm">
</basicRegistry>

una-tapa commented 5 years ago

TODO: Once the message is updated, open a doc defect. May test with the above registry settings.
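
A log triage sketch for the situation reported in this thread, added here as an example and not part of the issue or of Open Liberty's code: it parses console output in the format quoted above and reports when CWWKS9660E appears even though a CWWKZ0001I line shows an application started. The function name `triage`, the result keys and the abbreviated sample log are assumptions made for the illustration.

```python
import re

# Constructed sample, abbreviated from the console output quoted in the issue.
SAMPLE_LOG = """\
[AUDIT   ] CWWKZ0001I: Application DictionaryApp started in 0.762 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [servlet-3.1, ssl-1.0, appSecurity-2.0, ejbRemote-3.2, javaee-7.0].
[ERROR   ] CWWKS9660E: The orb element with the defaultOrb id attribute requires a user registry but no user registry became available within 10 seconds.
"""

# "[LEVEL   ] CODE: text" as it appears in the quoted console output.
LINE_RE = re.compile(r"^\[\s*(?P<level>[A-Z]+)\s*\]\s+(?P<code>[A-Z]{4,5}\d{4}[A-Z]):\s*(?P<text>.*)$")


def triage(log_text):
    """Summarise whether CWWKS9660E is contradicted by application start messages."""
    started, features, orb_errors = [], set(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, text = m["code"], m["text"]
        if code == "CWWKZ0001I":  # application started
            app = re.match(r"Application (\S+) started", text)
            if app:
                started.append(app.group(1))
        elif code == "CWWKF0012I":  # installed feature list
            inside = re.search(r"\[(.*)\]", text)
            if inside:
                features.update(f.strip() for f in inside.group(1).split(","))
        elif code == "CWWKS9660E":  # ORB could not find a user registry
            orb_errors += 1
    return {
        "orb_registry_error": orb_errors > 0,
        "apps_started": started,
        # The message says no application will start; a CWWKZ0001I line says otherwise.
        "message_contradicted": orb_errors > 0 and bool(started),
        # Heuristic (assumption): remote EJB support arrived through the javaee-7.0 bundle.
        "remote_ejb_from_bundle": {"ejbRemote-3.2", "javaee-7.0"} <= features,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `message_contradicted` and `remote_ejb_from_bundle` are both true, the log matches the case described in the thread, where the ORB was enabled only through the bundled feature and the applications did start.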